I’m currently trying to figure something out.
I have 2 AWS Accounts.
Account A has a bucket called my_awesome_files
.
Account B has users, that would like to be able to see those documents in my_awesome_files
.
I have the following policies and roles setup:
Account A (the one who has the bucket):
role: allow-account-b-access-s3-bucket-role
policy:
{
"Statement": [
{
"Action": "s3:GetObject",
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::my_awesome_files"
]
}
],
"Version": "2012-10-17"
}
policy: (trusted entities)
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<account_id_account_b>:root"
},
"Action": "sts:AssumeRole"
}
]
}
Account B (the one who wants to have access to the bucket):
Has a user with this attached Policy:
{
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Resource": "arn:aws:iam::<account_id_account_a>:role/allow-account-b-access-s3-bucket-role"
}
],
"Version": "2012-10-17"
}
If I read the documentation correctly, this should work.
Now to my questions:
- Is this indeed correct, or am I missing something?
- If it is indeed correct iam-configuration: Am I missing something with my laravel s3 config?
Do I need some special fancy configuration for it to get that it needs to assume that role or to make it work?
Currently, the filesystem config looks like this:
'my_awesome_files_bucket_config' => [
'driver' => 's3',
'key' => env('AWS_ACCESS_KEY_ID', 'xxxx'),
'secret' => env('AWS_SECRET_ACCESS_KEY', 'xxxx'),
'region' => env('DEFAULT_REGION', 'eu-central-1'),
'bucket' => env('MY_AWESOME_FILES_BUCKET', 'xxxx')
]
2
Answers
So I kind of figured it out. The policies are correct, but laravel filesystem automatically does not assume roles (obviously) and I didn't find a way to configure it to do so. (This would actually be a nice feature to the Filesystem lib)
So my solution was: using directly the AWS SDK to get the correct credentials, and then fetch the files from s3. This looks like this:
Then the fetching of the file is as easy as reading documentation:
No nothing about laravel, but at the AWS level the user in Account B has the permission to assume the Role, so it needs to go ahead and call something like sts.AssumeRole()